Weird Trojans

Came across a weird problem today.

No computers could access the network. No critical events in the event logs.

Found these events in the Security logs.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: BLAH
Domain: BLAHDOMAIN

I eventually found that the domain controller local security policy had been edited. It should look something like this.
Local Security Policy
I found that only ENTERPRISE DOMAIN CONTROLLERS was listed, which explained why the computers wouldn’t connect to the server.

I used the following command to reset the domain controller policy.
dcgpofix /target:both

Immediately everyone was able to connect to the network again. I started wondering how or who would have changed the policy, only to find out 5 minutes later that the policy again had only ENTERPRISE DOMAIN CONTROLLERS listed and nobody could connect to the network. Anyway, after patching the box and fumbling around, I found these two Trojans to be the cause.

C:\WINDOWS\SYSTEM32\RESVS.EXE
C:\WINDOWS\SYSTEM\SYSTEM.EXE

Booted into safe mode, removed RESVS.exe from the Run key, and removed the SYSTEM.EXE service.
Rebooted and ran dcgpofix /target:both, and everything is hunky dory. Symantec and Trend did not find these infections.
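As an added example that is not part of the original post, here is a PowerShell check for the user right the symptom above points at, "Access this computer from the network" (SeNetworkLogonRight): it exports the effective local policy with secedit, flags when the default principals are missing, and can be re-run after dcgpofix to catch the policy being changed back. It assumes secedit.exe is available and that it runs from an elevated prompt on the domain controller.

```powershell
# Added example (not from the original post). Audits SeNetworkLogonRight on a DC and
# warns when the default principals have been removed, leaving only ENTERPRISE DOMAIN
# CONTROLLERS as in the post. Assumes secedit.exe and an elevated prompt.

$ExpectedSids = @{
    'S-1-5-9'      = 'ENTERPRISE DOMAIN CONTROLLERS'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'Administrators'
}

function Get-NetworkLogonRight {
    # Export only the user-rights area of the effective local policy to a temp INF.
    $inf = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }
    try {
        # INF line looks like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
        $line = Select-String -Path $inf -Pattern '^SeNetworkLogonRight\s*=\s*(.*)$' |
                Select-Object -First 1
        if (-not $line) { return @() }
        return $line.Matches[0].Groups[1].Value -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') } |
               Where-Object { $_ }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-NetworkLogonRight {
    $granted = Get-NetworkLogonRight
    $missing = $ExpectedSids.Keys | Where-Object { $granted -notcontains $_ }
    [pscustomobject]@{
        Granted  = $granted
        Missing  = $missing | ForEach-Object { $ExpectedSids[$_] }
        Tampered = [bool]$missing
    }
}

$result = Test-NetworkLogonRight
if ($result.Tampered) {
    Write-Warning ('SeNetworkLogonRight is missing: {0}' -f ($result.Missing -join ', '))
    Write-Warning 'Only these principals can log on over the network:'
    $result.Granted | ForEach-Object { Write-Warning "  $_" }
    # Legacy Security log entries matching the post (Event ID 534); on Vista and later
    # the equivalent is 4625 with the same "not been granted the requested logon type" text.
    Get-EventLog -LogName Security -InstanceId 534 -Newest 20 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, Message | Format-Table -Wrap
} else {
    Write-Host 'SeNetworkLogonRight contains the expected default principals.'
}
```

Run it before and a few minutes after dcgpofix /target:both; a second warning means something on the box is still rewriting the policy.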
